UI terminology for calculated validities
mailinglisten at hauke-laging.de
Fri Apr 25 04:49:30 CEST 2014
Am Do 24.04.2014, 11:13:22 schrieb Peter Lebbing:
> I think "authenticity" covers the overtones much better than
> "validity", now that you mention it. It even makes me wonder why it
> wasn't chosen in the first place :). You have convinced me that it is
> the better term to use.
> I'm not enthousiastic about "ownership", because it feels like a
> synonym to "User ID" in OpenPGP context.
I second that. "Ownership" is much to close to "ownertrust".
But I would also point out that "authenticity" sound very much like
"this key is authentic" which is a problem for at least two reasons:
a) Many keys are certified without being verified. This is IMHO not so
much a problem if this is transparent. Think of --ask-cert-level. BTW: I
really don't like the --min-cert-level default to be 2 because this
forces the users to either ignore this level (setting 0) or to "lie"
which also reduces the "authenticity".
b) There are user IDs with which it becomes strange to speak of
"authenticity". E.g. if it is only an email address
(sevgseuiuzh at example.org).
Certifying a key (especially if locally only) is more a technical
decision than a proof of "authenticity. But I doubt that "validity" vs.
"authenticity" makes a difference in this regard. The German term for
valid does not sound like that to me.
Thus I would like to offer "accepted" as a possible alternative. I guess
that shows the user decision. Maybe even as a combination: "authenticity
Is it a good idea to use the same terms for both the key itself and user
IDs? The terminology should make sense to non-technical people
especially from the perspective that a "valid" key (certificate) can
contain "invalid" user IDs.
As different keys (especially fake ones) can contain exactly the same
user ID it seems strange to me to apply the term "authenticity" to a
user ID. The key is authentic for this user ID (in contrast to other
keys which may have the same).
Even worse: Even an invalid (but formerly valid) key is still
"authentic". At least from my understanding of language. "Accepted" does
not have this problem (neither "valid").
We could say: An accepted user ID makes a key valid. Certain additional
steps during accepting (certifying) – like --ask-cert-level or (yet to
be defined) signature notations – MAY make the key not only "valid"
(technical part) but also "authentic" (organizational part).
In order to help people use crypto right the terminology should help the
people become aware of important differences – like validity and
authenticity. Speaking of "authenticity" only may support the creation
of an illusion of security.
Maybe we are not even the right group to discuss that. Maybe that should
be discussed by new users after being told about the technical and
organizational states which the language shall easily understandably
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 490 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users